Brocade Communications Systems Brocade ICX 6650 User Manual

Brocade ICX 6650 Security Configuration Guide
53-1002601-01
TACACS and TACACS+ security
Example 
user=bob {
   default service = permit
   member admin
   #Global password
   global = cleartext "cat"
   service = exec {
     foundry-privlvl = 4
     privlvl = 15
   }
}
In this example, the user would be granted a privilege level of 4 (port-config level). The
privlvl = 15 A-V pair is ignored by the Brocade device.
If the TACACS+ server has no A-V pair configured for the Exec service, the default privilege level of 5 
(read-only) is used. 
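An audit sketch for the rule above, added here as an example and not Brocade's code: it reads tac_plus-style user blocks like the one shown and reports the privilege level this section says the device will grant. The users alice and carol, the function name audit and the regex parsing are assumptions; a user with only a non-foundry A-V pair is marked for manual review because this section does not say how that case is resolved.

```python
import re

# Constructed sample in the tac_plus style shown above; alice and carol are made up.
SAMPLE_CONF = '''
user=bob {
   default service = permit
   global = cleartext "cat"
   service = exec {
     foundry-privlvl = 4
     privlvl = 15
   }
}
user=alice {
   service = exec {
   }
}
user=carol {
   service = exec {
     privlvl = 15
   }
}
'''

LEVEL_NAMES = {0: "super-user", 4: "port-config", 5: "read-only"}
DEFAULT_LEVEL = 5  # applied when the Exec service has no A-V pair
USER_RE = re.compile(r'user\s*=\s*(\S+)\s*\{(.*?)\n\}', re.S)  # user-level brace at column 0
EXEC_RE = re.compile(r'service\s*=\s*exec\s*\{(.*?)\}', re.S)
AV_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(\S+)\s*$', re.M)

def audit(conf):
    """Return {user: (effective_level_or_None, note)} for each user block."""
    report = {}
    for user, body in USER_RE.findall(conf):
        m = EXEC_RE.search(body)
        pairs = dict(AV_RE.findall(m.group(1))) if m else {}
        if "foundry-privlvl" in pairs:
            level = int(pairs["foundry-privlvl"])
            ignored = sorted(k for k in pairs if k != "foundry-privlvl")
            note = "ignored: " + ", ".join(ignored) if ignored else "foundry-privlvl only"
        elif not pairs:
            level, note = DEFAULT_LEVEL, "no Exec A-V pair, default applies"
        else:  # other A-V pairs only: outcome is not stated in this section
            level, note = None, "no foundry-privlvl; handling not covered here"
        report[user] = (level, note)
    return report

if __name__ == "__main__":
    for user, (level, note) in audit(SAMPLE_CONF).items():
        print(f"{user:8} {LEVEL_NAMES.get(level, 'review manually'):15} {note}")
```

Running it against the server's user file before rollout shows which accounts silently fall back to read-only and which carry an A-V pair the device will not honor.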
Configuring command authorization
When TACACS+ command authorization is enabled, the Brocade device consults a TACACS+ server 
to get authorization for commands entered by the user.
You enable TACACS+ command authorization by specifying a privilege level whose commands 
require authorization. For example, to configure the Brocade device to perform authorization for the 
commands available at the Super User privilege level (that is, all commands on the device), enter 
the following command.
Brocade(config)# aaa authorization commands 0 default tacacs+
Syntax: aaa authorization commands privilege-level default tacacs+ | radius | none
The privilege-level parameter can be one of the following:
0 – Authorization is performed for commands available at the Super User level (all commands)
4 – Authorization is performed for commands available at the Port Configuration level (port-config and read-only commands)
5 – Authorization is performed for commands available at the Read Only level (read-only commands)
NOTE
TACACS+ command authorization can be performed only for commands entered from Telnet or SSH 
sessions, or from the console.  
TACACS+ command authorization is not performed for the following commands:
At all levels: exit, logout, end, and quit.
At the Privileged EXEC level: enable or enable text, where text is the password configured for the Super User privilege level.
If configured, command accounting is performed for these commands.
AAA support for console commands
AAA support for commands entered at the console includes the following:
Login prompt that uses AAA authentication, using authentication-method lists